Snort mailing list archives
Re: Help with a rule
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 06 Mar 2009 12:06:21 -0600
On Fri, 2009-03-06 at 09:12 -0500, Alex Kirk wrote:
> First of all, depending on just how much you want to log, going with "alert" instead of "log" and skipping the "tag:session;" may be smart - it would be easy to overload your IDS with this if it's not very powerful, or if it's attempting to do anything else.
Haha.... you're missing the point there Alex. I was just being pedantic. If he wanted to log all HTTP traffic with that Content type, then "log" would be appropriate (he didn't say alert), and of course you would want the whole stream. But I concede...re-reading his email, he just wanted to log every "packet" with that content type, so the tag was indeed unnecessary.
> * $HTTP_PORTS is actually a default Snort variable, as opposed to $PORT_HTTP
Didn't catch that, just did a copy'n'paste from Paul's reply (which is where your changes are ending up again). My recursion-avoidance system orders me to discontinue the thread. Just wanted to make you aware that my reply wasn't exactly serious. (I'll put more smileys in there next time).
Cheers!
Frank